Hi
Yesterday, the folks at University of Westminster put me on the track of discovering rather a flaw in my 1.3 to 2.x migration strategy which some are following.
The aim of the strategy is to allow you to listen on both Shibboleth 1.3 and Shibboleth 2 endpoints. Rod did this in http://www.ukfederation.org.uk/content/Documents/RollingIdPUpgrade by adding Shibboleth 2 endpoints to his 1.3 IdP (albeit as /shibboleth-idp/ rather than the default /idp/), then propagating a metadata change, waiting till everyone had moved over to them and then swapping in a 2.1 IdP also listening on those endpoints.
I didn't like this as it firstly meant modifying the working Shibboleth 1.3 IdP and secondly you were then committed to running 2.x with a non default configuration which updates might clash with.
Instead, my strategy allowed you to run both IdPs for the changeover period serviced through the one common entry point with the theory that I could handle SPs that had not updated their metadata in parallel with those that had and it (nearly) works.
Take 4 scenarios:
1) If an SP has updated its metadata, like all good SPs should -
Everything will work.
2a)
SP has old metadata
User goes to an SP which uses its own WAYF
SP will look up our ENTITYID in its (old) metadata and send user to 1.3 IdP to authenticate
SP will look up our ENTITYID in its (old) metadata and then go to 1.3 IdP for attributes
Everything will work
2b)
SP has old metadata
User goes to SP using session initiator link from our site (e.g. JSTOR: http://www.jstor.org/start-session?entityID=IdP-ENTITYID&target=target-url )
SP will look up our ENTITYID in its (old) metadata and then send user to 1.3 IdP to authenticate
SP will look up our ENTITYID in its (old) metadata and then go to 1.3 IdP for attributes
Everything will work
2c)
SP has old metadata
User goes to SP which directs user to the UK Federation WAYF
UK Federation WAYF has NEW metadata and sends the user to the 2.1 IdP to authenticate
SP will look up our ENTITYID in its OLD metadata and then go to 1.3 IdP for attributes
BUST
OOPS.
This explains the split personality which I'd observed on just a few SPs which I'd blamed on them, sorry!
My apologies to those who've followed this approach and been bitten by it - I'm still thinking of a workaround! Of course, in an ideal world, or even a world where bodies actually did what they'd already agreed to do, none of this would be a problem (for more than a day)....
Andy
************************************************************
The University of Dundee is a registered Scottish charity, No: SC015096
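The four scenarios above come down to one rule: the party that performs discovery (the SP's own WAYF, a session initiator link, or the federation WAYF) picks the SSO endpoint from its copy of the metadata, while the SP always resolves the attribute authority from its own copy. The login breaks whenever those two copies point at different IdPs. The following script is an added example, not code from the original message or from Shibboleth; it models that rule for every combination of SP metadata generation and discovery path, and also covers the mirror case the message does not mention (SP already on new metadata while the discovery service still has old metadata). The entityID, the endpoint URLs and the assumption that only the IdP which issued the assertion can answer the attribute query are constructed for illustration.

```python
"""Model of the mixed 1.3 / 2.x IdP migration flows.

Constructed example: entityID, endpoint URLs and the rule that an attribute
query must reach the IdP that issued the assertion are assumptions for
illustration, not taken from any real deployment or from Shibboleth code.
"""
from dataclasses import dataclass
from itertools import product

ENTITY_ID = "https://idp.example.ac.uk/shibboleth"   # constructed

# Two generations of metadata for the same entityID: the old one points
# everything at the 1.3 IdP, the new one at the 2.x IdP (constructed URLs).
METADATA = {
    "old": {"sso": "https://idp.example.ac.uk/shibboleth-idp/SSO",
            "aa":  "https://idp.example.ac.uk/shibboleth-idp/AA",
            "idp": "1.3"},
    "new": {"sso": "https://idp.example.ac.uk/idp/profile/Shibboleth/SSO",
            "aa":  "https://idp.example.ac.uk/idp/profile/SAML1/SOAP/AttributeQuery",
            "idp": "2.1"},
}


@dataclass(frozen=True)
class Flow:
    name: str
    discovery: str   # who resolves the SSO endpoint: "sp" or "federation"


# The three ways a user can reach the IdP in the message's scenarios.
FLOWS = [
    Flow("SP's own WAYF", "sp"),
    Flow("session initiator link", "sp"),
    Flow("UK Federation WAYF", "federation"),
]


def run_login(sp_metadata: str, fed_metadata: str, flow: Flow) -> dict:
    """Return which IdP authenticates, which IdP is asked for attributes,
    and whether the login can succeed under the model's assumptions."""
    # 1. Authentication: whoever performs discovery resolves the SSO
    #    endpoint from its own copy of the metadata for ENTITY_ID.
    discovery_md = sp_metadata if flow.discovery == "sp" else fed_metadata
    authn_idp = METADATA[discovery_md]["idp"]
    # 2. Attribute query: the SP always resolves the AA from its own copy.
    attr_idp = METADATA[sp_metadata]["idp"]
    # Assumption: only the IdP that issued the assertion can answer the
    # attribute query, so the two must be the same IdP.
    return {"authn_idp": authn_idp, "attr_idp": attr_idp,
            "works": authn_idp == attr_idp}


def scenario_table(fed_metadata: str = "new") -> list:
    """Every combination of SP metadata generation and discovery path."""
    rows = []
    for sp_md, flow in product(("new", "old"), FLOWS):
        r = run_login(sp_md, fed_metadata, flow)
        rows.append((sp_md, flow.name, r["authn_idp"], r["attr_idp"], r["works"]))
    return rows


def broken_scenarios(fed_metadata: str = "new") -> list:
    """The (SP metadata, flow name) pairs that cannot complete a login."""
    return [(sp_md, flow) for sp_md, flow, *_, ok in scenario_table(fed_metadata)
            if not ok]


if __name__ == "__main__":
    for sp_md, flow, authn, attrs, ok in scenario_table():
        print(f"SP metadata {sp_md:3} | {flow:22} | authn {authn} | "
              f"attrs {attrs} | {'ok' if ok else 'BUST'}")
```

Running it with the federation on new metadata reproduces the message's table: the only failing row is an SP on old metadata arriving via the UK Federation WAYF. Running `broken_scenarios(fed_metadata="old")` shows the mirror failure, an SP that has already taken new metadata but is sent to the 1.3 IdP by a discovery service still holding old metadata, which is the same mismatch seen from the other side.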